Microsoft Edge Security with Windows Defender Application Guard 9/11/2018 4:41 AM Microsoft Edge Security with Windows Defender Application Guard Chas Jeffries Principal Program Manager Windows Enterprise and Security © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda Threat Landscape Windows Defender Application Guard Overview Demo Containers Q&A
Evolution of attacks Mischief Fraud and theft Damage and disruption 9/11/2018 Evolution of attacks Mischief Script kiddies Unsophisticated Fraud and theft Organized crime More sophisticated Damage and disruption Nations, terror groups, activists Very sophisticated and well resourced © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Attacks happen fast and are hard to stop 9/11/2018 Attacks happen fast and are hard to stop If an attacker sends an email to 100 people in your company… …30 people will open it… …12 people will open the attachment or click on the link… …and all will do it in the 3 minutes 45 seconds… Source: Verizon 2016 Data Breach Investigations Report © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Anatomy of an attack ENTER ESTABLISH EXPAND ENDGAME 9/11/2018 Anatomy of an attack ATTACK Browser or doc exploit delivery USER Malicious attachment delivery ENTER Phishing attacks DEVICE Kernel exploits ESTABLISH Kernel-mode malware NETWORK Credential Theft EXPAND ENDGAME Business disruption Lost productivity Data theft Espionage, loss of IP Ransom © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Anatomy of an attack: strontium 9/11/2018 Anatomy of an attack: strontium ATTACK Mon, 9 November 2015, 13:20 RE: Mission In Central African Republic John Smith John Smith <defense.adviser.smith@gmail.com> Dear Sir! Please be advised that The Spanish Army personnel and a large number of Spanish Guardia Civil officers currently deployed in the Central African Republic (CAR) as part of the European EUFOR RCA mission will return to Spain in early March as the mission draws to a close. Visit http://natoint.com/900117-spain-forces-conclude-mission-in-central-african-republic/ for additional info. Best regards, Capt. John Smith, Defence Adviser, Public Diplomacy Division NATO, Brussels Defence.adviser.smith@gmail.com USER PHISHING DEVICE Browser or Doc Exploit Execution NETWORK PASS-THE-HASH ENDGAME Theft of sensitive information, disruption of government. © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Anatomy of an attack: strontium 9/11/2018 Anatomy of an attack: strontium 1 2 3 ATTACK USER PHISHING DEVICE Browser or Doc Exploit Execution NETWORK PASS-THE-HASH Land on exploit page Exploit runs Redirected to legitimate page ENDGAME Theft of sensitive information, disruption of government. © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Normal looking website 9/11/2018 © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Anatomy of an attack: strontium 9/11/2018 Anatomy of an attack: strontium ATTACK USER PHISHING DEVICE Browser or Doc Exploit Execution NETWORK Attacks hard to clean up and are very costly PASS-THE-HASH ENDGAME Theft of sensitive information, disruption of government. © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Microsoft’s security posture 9/11/2018 Microsoft’s security posture Protect Detect Respond Today’s cloud-first, mobile-first world demands the highest level of identity & data security Comprehensive monitoring tools to help you spot abnormalities and respond to attacks faster Leading response and recovery technologies plus deep consulting expertise At Microsoft our overall security vision is focused around the idea of protect, detect, and defend… <talk a bit about what each means in the larger context> © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Protect Detect Respond Windows 7 Windows 10 9/11/2018 Protect Detect Respond Windows 7 Trusted Platform Module (TPM) SmartScreen BitLocker BitLocker to Go Windows 10 Windows Trusted Boot Microsoft Edge Windows Defender Windows Hello Companion Device Framework Windows Information Protection Windows Defender Advanced Threat Protection Legacy or Modern Devices (Upgraded from Win 7 or 32-bit Windows 8) Virtualization based security UEFI Secure Boot Device Guard Credential Guard Device Encryption Security management Conditional Access Windows Hello Biometric Sensors Modern Devices (Fresh install or upgrade from 64-bit Win 8 ) (Click) Windows 7 delivered support for TPM, and data protection features like BitLocker. We also introduced the first version of our SmartScreen service… (Click) …but clearly you need more today. Now with Windows 10 we are giving YOU more tools and features to protect your business. (Call out one or two features quickly)… (Click) …and when you are running W10 on modern hardware you get some of the most powerful security features… So when thinking about what you want to use to protect your business, it’s clear Windows 10 is a huge step forward… When I look at this list what I’m most proud of are the investments we have made in containerization/virtualization and in identity. © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Current threat landscape Driving the need for hardware based isolation Our research indicates that there has been a dramatic increase in kernel exploits over the past two years Source: MSRC and Microsoft One Protection Team
Traditional platform stack 9/11/2018 Apps Windows Platform Services Traditional platform stack Kernel Device Hardware © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Hardware based isolation 9/11/2018 System Container Kernel Device Guard Credential Guard Trustlet Apps Hardware based isolation Windows 10 Windows Platform Services Kernel Device Hardware Hypervisor © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Microsoft Edge with Windows Defender Application Guard 9/11/2018 Microsoft Edge with Windows Defender Application Guard Moves browser sessions to an isolated, virtualized environment Provides significantly increased protection and hardens attacker favorite entry-point Device Hardware System Container Kernel Windows Platform Services Microsoft Edge Hypervisor (Hyper-V) Critical System Processes Apps © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
Application Guard Experience
User receives a suspicious email, unwittingly the user clicks the link.
Natoint.com A new browser window appears, with window decoration and notification that the site the user wants to open is not an enterprise site and needs to open in a container.
The malware runs and the container is infected. Natoint.com A new browser window appears, with window decoration and notification as the user lands on an untrusted website. The malware runs and the container is infected.
Natoint.com The user closes the Edge window and the session is discarded when the user logs off.
Back on the host, all is good Back on the host, all is good. The malware was not able to jump out of the container, it’s isolated to the container.
Demo Windows Defender Application Guard
Next Generation Client Containers
WDAG Internals Enterprise client (Host) Host browser GP or MDM POLICY SITE LIST Host browser Browser plug-in GP or MDM Microsoft Edge Browser plug-in Policy store Read Windows Platform Services Enterprise client (Host) Management Hypervisor Security Isolation (HVSI) Notification of a new URL Kernel Windows Platform Services Hypervisor Kernel Virtual Switch Virtual Switch plug-in
WDAG Internals Enterprise client (Host) Host browser GP or MDM POLICY SITE LIST Host browser Browser plug-in GP or MDM Microsoft Edge Browser plug-in Policy store Read Windows Platform Services Enterprise client (Host) Management Hypervisor Security Isolation (HVSI) Kernel Lookup fails, inject into Container Windows Platform Services Hypervisor Kernel Virtual Switch Virtual Switch plug-in
Productivity Features Windows Defender Application Guard
Windows Defender Application Guard Kernel Windows Platform Services Microsoft Edge Non-enterprise sites Windows Host OS Enterprise sites Clipboard Controlled with policy, users can copy and paste plain text and graphics from the container to the host
Printing from a container Controlled through policy, users can print web content and documents from a container Windows Host OS Kernel Windows Platform Services Microsoft Edge Enterprise sites
Persistence of user state between sessions The state of the container is persisted between sessions, i.e. cookies, remembered passwords, favorites, temporary files will be persisted from session to session in a container using temp VHD VM VHD HOST
Where can I try it? Microsoft Technology Adoption (TAP) Program TAP is a pre-release program run by Windows engineering to obtain deep customer feedback, early and throughout the development cycle to ensure new technology investments meets the needs of the marketplace Interested in joining TAP? Contact to email osnext@microsoft.com Microsoft Windows Insider Program (WIP) This program is designed exclusively for people who want be involved in the process. So if you want to help us build the best Windows yet, we want you to join us. be first to experience the new ideas and concepts we’re building. In return, we want to know what you think. You’ll get an easy-to-use Feedback Hub app to send us your feedback, which will help guide us along the way Interested in joining WIP? Visit https://insider.windows.com/
Redstone 3 TAP TAP is a pre-release program run by Windows engineering to obtain deep customer feedback, early and throughout the development cycle to ensure new technology investments meets the needs of the marketplace. TAP is not a Deployment Support Program Criteria for participation Actively deploying Windows 10 Leading edge in adopting new technologies Has a long term vision on IT Strategy and willing to share Willing to commit resources to participate and invest in program partnership Willing to share feedbacks through Yammer. Next Steps Contact to email osnext@microsoft.com TAP team will follow up with your account manager.
Questions?
9/11/2018 4:41 AM © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Planning and environment setup HW requirements CPU – 64bit with virtualization extensions RAM – 4GB min, 8GB recommended Windows 10 Enterprise RS3 TAP Miscellaneous Enable CPU virtualization from BIOS
Planning and environment setup 1. Install Turn Windows feature on or off PowerShell (Covers SCCM, MDT, etc.) 2. Configure Group Policies (ADMX) System Center (Configuration Manager) Microsoft Intune 3. Enable Group Policies (ADMX) System Center (Configuration Manager) Microsoft Intune